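This topic describes the use cases of the DLA service-linked role (AliyunServiceRoleForOpenAnalytics) and how to delete the role.
Background information
The DLA service-linked role (AliyunServiceRoleForOpenAnalytics) is a RAM role provided so that DLA can obtain access to other cloud services when it needs that access to complete one of its own functions. For more information, see Service-linked roles.
Use cases
As Alibaba Cloud's data lake analytics product, DLA provides serverless Presto and Spark as its core features. To implement its data lake functions, DLA has to connect to and integrate with a wide range of Alibaba Cloud data sources and cloud services (OSS, OTS, RDS, ADS, ODPS, ECS, VPC, RAM, MQ, and others). For this reason, when a user activates the DLA service, DLA automatically creates the service-linked role within DLA on the user's behalf, which greatly improves the user experience.
View the DLA service-linked role
- Log on to the Data Lake Analytics console.
- In the upper-right corner of the Overview page, click the options button.
- On the cross-service authorization page, view the DLA service-linked role information:
  - Role name: AliyunServiceRoleForOpenAnalytics
  - Role permission policy: AliyunServiceRolePolicyForOpenAnalytics
  - The permissions are as follows: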
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": { "ram:ServiceName": "openanalytics.aliyuncs.com" }
      }
    },
    {
      "Action": [ "ram:ListUsers", "ram:GenerateCredentialReport" ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:GetBucket", "oss:GetBucketAcl", "oss:GetBucketLocation",
        "oss:GetBucketInfo", "oss:GetBucketLogging", "oss:GetBucketWebsite",
        "oss:GetBucketReferer", "oss:GetBucketLifecycle", "oss:GetBucketEncryption",
        "oss:GetBucketStat", "oss:GetBucketMetadata", "oss:GetBucketTagging",
        "oss:GetBucketVersioning", "oss:GetSimplifiedObjectMeta", "oss:GetObjectMetadata",
        "oss:GetBucketStorageCapacity", "oss:GetBucketEncryption", "oss:GetObject",
        "oss:GetObjectMeta", "oss:GetObjectAcl", "oss:GetSymlink",
        "oss:GetObjectTagging", "oss:GetService", "oss:ListObjects",
        "oss:ListMultipartUploads", "oss:ListParts", "oss:ListBuckets",
        "oss:ListVpcip", "oss:ListVersions", "oss:GetBucketCname",
        "oss:GetBucketRequestPayment", "oss:GetBucketVpcip", "oss:DoesBucketExist",
        "oss:DoesObjectExist", "oss:ListObjectsV2", "oss:SelectObject",
        "oss:HeadObject", "oss:PutBucket", "oss:PutObject",
        "oss:PutObjectTagging", "oss:CopyObject", "oss:InitiateMultipartUpload",
        "oss:UploadPart", "oss:UploadPartCopy", "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload", "oss:RestoreObject", "oss:PostObject",
        "oss:UploadFile", "oss:DownloadFile", "oss:AppendObject",
        "oss:DeleteObject", "oss:DeleteObjects"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [ "alikafka:PUB" ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstances", "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo", "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeDBInstanceIPArrayList", "rds:ModifySecurityIps",
        "dds:DescribeDBInstances", "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps", "dds:ModifySecurityIps",
        "polardb:DescribeDBClusters", "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints", "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "mns:GetQueueAttributes", "mns:GetTopicAttributes", "mns:GetSubscriptionAttributes",
        "mns:ListQueue", "mns:ListTopic", "mns:ListSubscriptionByTopic",
        "mns:SendMessage", "mns:PublishMessage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [ "mq:PUB" ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dbs:DescribeBackupPlanList", "dbs:DescribeFullBackupList",
        "dbs:DescribeIncrementBackupList", "dbs:DescribeRestoreTaskList",
        "dbs:DescribeBackupGatewayList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ots:GetRow", "ots:BatchGetRow", "ots:GetRange",
        "ots:GetShardIterator", "ots:GetStreamRecord", "ots:ListStream",
        "ots:ListTable", "ots:ListSearchIndex", "ots:DescribeStream",
        "ots:DescribeTable", "ots:DescribeSearchIndex", "ots:ComputeSplitPointsBySize",
        "ots:CreateTable", "ots:UpdateTable", "ots:DeleteTable",
        "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow",
        "ots:BatchWriteRow", "ots:CreateIndex", "ots:DropIndex",
        "ots:CreateSearchIndex", "ots:DeleteSearchIndex", "ots:Search"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListProject", "log:ListLogStores", "log:ListShipper",
        "log:GetCursorOrData", "log:BatchGetLog", "log:GetShipper",
        "log:GetShipperConfig", "log:BatchGetLog", "log:DeleteShipper",
        "log:CreateShipper"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [ "vpc:DescribeVSwitches", "vpc:DescribeVpcs" ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
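For a least-privilege review of the policy above, the following added example (not Alibaba Cloud's code) lists the non-read actions that are granted on `"Resource": "*"` without a `Condition`, and the actions listed twice in one statement. The embedded policy is an abridged excerpt of three statements from the policy above; the `READ_PREFIXES` heuristic and the function names are assumptions made for this example.

```python
import json
from collections import Counter, defaultdict

# Abridged excerpt of the policy shown above, embedded so the example runs offline.
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "openanalytics.aliyuncs.com"}}},
  {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityIps",
              "dds:DescribeSecurityIps", "dds:ModifySecurityIps"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["log:ListProject", "log:BatchGetLog", "log:GetShipper",
              "log:BatchGetLog", "log:DeleteShipper", "log:CreateShipper"],
   "Resource": "*", "Effect": "Allow"}
]}
""")

# Assumption: verbs with these prefixes are read-only; everything else is mutating.
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Head", "Does", "Select", "Search")

def as_list(value):
    """RAM policies allow Action/Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    """Return (mutating actions per service on Resource "*" with no Condition,
    actions that appear more than once within a statement)."""
    unscoped = defaultdict(list)
    duplicates = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        duplicates += sorted(a for a, n in Counter(actions).items() if n > 1)
        wildcard = "*" in as_list(stmt.get("Resource", []))
        if not wildcard or stmt.get("Condition"):
            continue  # narrowed by resource or by condition
        for action in dict.fromkeys(actions):  # de-duplicate, keep order
            service, _, verb = action.partition(":")
            if not verb.startswith(READ_PREFIXES):
                unscoped[service].append(action)
    return dict(unscoped), duplicates

if __name__ == "__main__":
    findings, dupes = audit(POLICY_EXCERPT)
    for service, actions in findings.items():
        print(f"{service}: {', '.join(actions)}")
    print("duplicates:", dupes)
```

To review the whole role, pass the complete policy document to `audit()` in place of the excerpt.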
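Delete the service-linked role
To delete the service-linked role (AliyunServiceRoleForOpenAnalytics), perform the following steps:
- Disable the DLA service in the current region and in all other regions, because DLA determines whether the SLR is still associated at the level of the user account.
- Delete the service-linked role. For details, see Service-linked roles.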